Critical Persistent XSS 0day in WordPress

36 comments

1. Any word or knowledge on whether using a commenting system – like Disqus here – helps here? Or, because it still allows comments to be injected, are users of that plugin just as vulnerable?

   1. Hey Cat! This is Mike L from Umass Lowell.. I was just reviewing this article for one of my clients and to my surprise found your comment!

      1. Dude! Hey! That’s wicked funny.

         You should catch me online sometime. @rentageekmom on twitter if you want to grab my email address. 🙂

2. I also want to know if wordpress blogs using Disqus are affected. Also, would it help if all comments are moderated? Thanks.

   1. As they said this is a method you as the admin can be the one attacked once you go to administer the comments so comment moderation is not a really good solution.

      1. Thanks. Actually, I moderate Disqus comments via email or via the Disqus dashboard. With Disqus, I don’t have to administer comments inside wordpress via the admin dashboard. However, comments approved in Disqus will be synced to wordpress so that’s an area of concern. Any ideas?

      2. Actually the Klikky Oy site says “the injected JavaScript apparently can’t be triggered in the administrative Dashboard so these exploits seem to require getting around comment moderation e.g. by posting one harmless comment first.”

         So making sure all comments go to moderation, then only approving genuine comments will protect you.

         WordPress has an option to allow ‘must have a previously approved comment moderations’, which won’t work, as a hacker could post a genuine comment, then come back to post the hack which bypasses moderation.

3. Does WordPress know about this? From the blog article you referenced, it doesn’t sound like WP is responding to them. I can disable comments for a day, but I can’t do it much longer than that. Can we count on a patch coming through?

   1. WordPress is aware of the issue and is working on a patch. If you have Akismet installed, these comments will already be automatically flagged as spam.

      1. Okay. I do have Akismet. I’ve routinely delete those spam comments to the trash. Should I just leave them for the time being?

      2. So I simply shouldn’t check my spam queue then? Will it affect WordPress sites on 4.2 with Disqus installed?

      3. The vulnerability should not affect the comment queue in the administrative panel. The only risk is when the comment is approved and the administrator subsequently views the comment on the post’s page. You can empty your spam as usual.

         1. Thank you! In the meantime, I’ve disabled comments.

         2. So can we safely view the spam comments in the spam panel, as long as we don’t approve the infected ones? I routinely get legit comments sent to spam so I check my spam queue regularly. Comments downthread are suggesting that even viewing them could be dangerous?

            1. You can indeed safely view the spam comments in the spam panel (according to the researcher’s website) as long as you do not approve the malicious ones.

            2. Thanks very much, Cedric!

4. I’m assuming the hacker would need to have an approved comment first otherwise this code would not appear without being approved by the Admin. Correct?

   1. It entirely depends on how the site is configured. If you have the “Comment author must have a previously approved comment” option enabled, then yes :).

5. Updated, thanks.

6. I’m a huge fan of WordPress, and I don’t know how much work is involved to patch this, but it’s very disappointing to read they haven’t responded to attempts to notify them about this vulnerability. Particularly as WP have been so proactive recently in pushing updates, and working with Yoast, Sucuri and other plugin authors to patch vulnerable plugins over the last few weeks.

   I’m sure virtually all website owners would prioritise security over functional improvements shipped with versions 4.1 and 4.2. Let’s hope this was some kind of communication breakdown.

7. Looks like WP just pushed out 4.2.1 – i guess / hope thats the reaction to this? anyone?

8. I run Varnish in front of our webserver, and can filter requests before they hit Apache. I’ve done this to block Shellshock as well as common hacking attempts.

   I am wondering what the request might be – and then I could build a regex to deliver a 403 Error to any requests trying to exploit this. It’s not immediately obvious how these POST requests might look in the wild. I also suppose that Varnish can’t inspect POST requests – so it makes it a little difficult to block.

   Any thoughts?

   1. Maybe not the payload content, but perhaps you could put a rule in that limits request size (being that this is an overflow attack) for POST requests to the PHP comment post endpoint.

      (BTW, care to share your VCL for shellshock etc?)

9. Does this affect the wordpress jetpack comments?

10. If you have Akismet running there is a good chance that the comments will get flagged as spam so do not check your spam queue.

11. Do you think the following .htaccess or apache config can mitigate the issue? thank you.

    LimitRequestBody 65000

12. Thank you for this information, we will check our blogs for this problem.

13. cool

14. alert(“I am an alert box!”);

15. hello word

16. XSS

17. With Gain Credit Personal Loans, you can get instant loan/money for a
    wide range of your personal needs like renovation of your home, marriage
    in the family, a family holiday, your child’s education, buying a
    house, medical expenses or any other emergencies. With minimum
    documentation, you can now avail a personal loan at attractive 3%
    interest rates. This is trust and honest loans which you will not
    regret, Contact us via Email: gaincreditloan01@gmail.com

18. Hello Everybody,

    I am Kristen Oh Lim I live in Baskent and i am a happy woman today? and i told my self that any lender that rescue my family from our poor situation, i will refer any person that is looking for loan to him, he gave me happiness to me and my family, i was in need of a loan of $45,000 to start my life all over as i am a single mother with 3 kids I met this honest amuslim man loan lender that help me with a loan of $45,000. he is a muslim man, if you are in need of loan and you will pay back the loan please

    contact him tell him that Kristen Oh Lim that refer you to him. Contact Mr.Jubrin nelson via email: (globalteamlendingfirm@gmail.com)

19. Hello, I am Malissa Delh, currently living in New jersey city, USA. I am a widow at the moment with three kids and i was stuck in a financial situation in February last 2016 and i needed to refinance and pay my bills. I tried seeking loans from various loan firms both private and corporate but never with success, and most banks declined my credit. But as God would have it, I was introduced to a Man of God a private loan lender who gave me a loan of $85,000USD and today am a business owner and my kids are doing well at the moment, if you must contact any firm with reference to securing a loan without collateral , no credit check, no co signer with just 3% interest rate and better repayment plans and schedule, please contact Mr Jubrin Nelson. He doesn’t know that am doing this but am so happy now and i decided to let people know more about him and also i want God to bless him more.You can contact him through his email: globalteamlendingfirm@gmail.com

20. alert(“XSS”)

21. WordPress fix this

Comments are closed.